Chinese Group TAG-112 Linked to Cyberattacks on Tibetan Websites
Quick take - A Chinese state-sponsored threat group tracked as TAG-112 has been linked to cyberattacks on Tibetan websites. The group compromised Joomla-based sites to deliver Cobalt Strike to visitors, consistent with the Chinese government's ongoing surveillance of groups it perceives as threats.
Fast Facts
- TAG-112, a Chinese state-sponsored threat group, has targeted Tibetan websites, including Tibet Post and Gyudmed Tantric University, using vulnerabilities in the Joomla CMS.
- The group implanted malicious JavaScript that prompted visitors to download a fake "security certificate"; opening the file executed a Cobalt Strike Beacon payload.
- TAG-112 is linked to other Chinese groups like TAG-102 but is recognized as a distinct entity due to differences in attack tactics and maturity.
- The lure was a spoofed TLS certificate error page, and the group's command-and-control infrastructure sits behind Cloudflare, so the IP addresses observed belong to Cloudflare rather than to the origin server, complicating traceability.
- Recommendations to mitigate risks from such cyber threats include configuring intrusion detection systems, user training, and monitoring network traffic for signs of compromise.
TAG-112 Cyberattacks Target Tibetan Websites
A Chinese state-sponsored threat group, identified as TAG-112, has been linked to a series of cyberattacks targeting Tibetan websites. Among the affected sites are Tibet Post and Gyudmed Tantric University.
Exploitation of Vulnerabilities
The group exploited vulnerabilities in the Joomla content management system (CMS) to inject malicious JavaScript into the pages of these websites. Visitors to the compromised sites were prompted to download a fake security certificate; when opened, the file executed Cobalt Strike Beacon. Cobalt Strike is a commercial adversary-emulation tool whose Beacon implant attackers frequently abuse for remote access and command execution.
TAG-112’s operations are connected to other Chinese state-sponsored groups, particularly TAG-102, also known as Evasive Panda. Despite these connections, TAG-112 has been recognized as a distinct entity due to differences in attack maturity and tactics.
Tactics and Techniques
A notable aspect of TAG-112's strategy was displaying a spoofed Transport Layer Security (TLS) certificate error to trick users into downloading the malware. The injected JavaScript first fingerprints the visitor's operating system and browser type, so that the lure and payload are served only to visitors on a platform the attackers target.
The command-and-control (C2) domain associated with TAG-112 is update[.]maskrisks[.]com. The parent domain, maskrisks[.]com, was registered in March 2024. TAG-112 fronts the domain with Cloudflare's reverse proxy, so DNS resolves it to Cloudflare edge addresses rather than to the operator's origin server, which complicates efforts to trace the infrastructure.
Insikt Group has identified six distinct Cobalt Strike Beacon samples linked to TAG-112, indicating that the group maintains several variants of its payload. Even so, TAG-112's operations are less sophisticated than TAG-102's, suggesting it may be a less experienced subgroup within Chinese cyber-espionage efforts.
Implications and Recommendations
The campaign targeting Tibetan organizations highlights ongoing efforts by the Chinese government to surveil and control ethnic and religious minority groups perceived as threats to stability. To mitigate risks from such cyber threats, several recommendations have been made:
- Configure intrusion detection and prevention systems to alert on the known TAG-112 indicators, including maskrisks[.]com and its subdomains.
- Train users not to open unexpected downloads, in particular files that a website offers as a "security certificate".
- Enable detection measures for Cobalt Strike Beacon.
- Monitor network traffic for signs of compromise, such as connections to the C2 domain.
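The last two recommendations can be turned into a concrete check. The following is an added example, not code from the original article or from Insikt Group: it scans a simplified, constructed web-proxy log for the one indicator the article names (the maskrisks[.]com domain and any of its subdomains) and, as a separate heuristic that the article does not describe, for downloads whose filename looks like a certificate but whose MIME type is that of a Windows executable. The log format, the sample hosts and the certificate extension and MIME lists are assumptions chosen for illustration.

```python
"""Flag TAG-112-style indicators in a web proxy log (added example).

The log format below is a constructed, simplified proxy log. Only the
maskrisks[.]com domain comes from the article; the hosts in the sample
lines use reserved .example names and are not real indicators.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator from the article: C2 at update.maskrisks.com (parent domain
# registered March 2024). Matching the registrable domain catches any
# subdomain the operators add later.
C2_DOMAINS = frozenset({"maskrisks.com"})

# Assumption, not from the article: the lure is a Windows executable offered
# as a "security certificate". Flag a certificate-looking filename that the
# server labels with an executable MIME type.
CERT_EXTENSIONS = (".crt", ".cer", ".der", ".pem", ".p7b")
EXECUTABLE_MIME = frozenset({
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
})

# Constructed log format: "<ts> <client_ip> <method> <url> <status> <mime> <bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<mime>\S+) (?P<bytes>\d+)$"
)

# Constructed sample log: one benign page view, a script fetch from the C2
# domain, the fake certificate download, a look-alike host that must not
# match, a genuine CA certificate, and an unrelated domain sharing a suffix.
SAMPLE_LOG = """\
2024-10-02T09:14:03Z 10.0.0.21 GET https://news.tibetan-site.example/ 200 text/html 14532
2024-10-02T09:14:05Z 10.0.0.21 GET https://update.maskrisks.com/static/check.js 200 application/javascript 2210
2024-10-02T09:14:19Z 10.0.0.21 GET https://update.maskrisks.com/cert/security-certificate.crt 200 application/x-msdownload 288256
2024-10-02T09:15:40Z 10.0.0.33 GET https://maskrisks.com.evil-lookalike.example/ 200 text/html 512
2024-10-02T09:16:02Z 10.0.0.44 GET https://cdn.trusted-site.example/root-ca.crt 200 application/x-x509-ca-cert 1412
2024-10-02T09:17:11Z 10.0.0.44 GET https://notmaskrisks.com/index.html 200 text/html 900
"""


@dataclass(frozen=True)
class Finding:
    client: str
    reason: str
    url: str


def host_matches(host: str, indicators: frozenset[str]) -> bool:
    """True when host equals an indicator or is a subdomain of one.

    Suffix matching is anchored on a dot, so 'notmaskrisks.com' and
    'maskrisks.com.evil-lookalike.example' do not match.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)


def is_fake_certificate(url: str, mime: str) -> bool:
    """Certificate-looking filename served with an executable MIME type."""
    path = urlsplit(url).path.lower()
    return path.endswith(CERT_EXTENSIONS) and mime.lower() in EXECUTABLE_MIME


def parse_line(line: str) -> dict[str, str] | None:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(log_text: str) -> list[Finding]:
    """Return one Finding per matched indicator, in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real pipeline would count these
        host = urlsplit(rec["url"]).hostname or ""
        if host_matches(host, C2_DOMAINS):
            findings.append(Finding(rec["client"], "c2-domain", rec["url"]))
        if is_fake_certificate(rec["url"], rec["mime"]):
            findings.append(Finding(rec["client"], "fake-certificate-download", rec["url"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client} {f.reason} {f.url}")
```

Because the C2 domain is fronted by Cloudflare, blocking or hunting on resolved IP addresses would hit shared Cloudflare edges rather than the operator's server; the check above therefore keys on the hostname, which is also what a DNS query log, TLS SNI or HTTP Host header would expose.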
TAG-112’s activities reflect a broader strategy of surveillance and control, indicating that other groups and regions with similar risk profiles may also be potential targets for state-sponsored cyberattacks.